Web 2.0 in the Workforce Michelle Walden MSIS 68-595: Information Security Capstone Project May 2009 Table of Contents Abstract …………………………………………………………………………… 2 Company Background ……………………………………………………………. 2 History ……………………………………………………………………………. 2 How to spot Web 2.0 Applications ……………………………………………….. 5 Factors of Web 2.0 ………………………………………………………………... 5 Potential Threats …………………………………………………………………... 5 Web 2.0 Sites ……………………………………………………………………… 7 Consequence of not having a Policy ……………………………………………… 9 Policy ……………………………………………………………………………… 10 1.0 Overview ……………………………………………………………… 10 2.0 Purpose ………………………………………………………………... 10 3.0 Scope ………………………………………………………………….. 11 4.0 Policy ………………………………………………………………….. 11 4.1 General Use …………………………………………………………… 11 4.2 Security and Proprietary Information …………………………………. 12 4.3 Unacceptable Use ……………………………………………………... 13 4.4 System and Network Activities ……………………………………….. 13 4.5 E-mail and Communications ………………………………………….. 14 4.6 Blogging, including Tweeting and Facebook …………………………. 15 5.0 Enforcement …………………………………………………………... 15 6.0 Definitions …………………………………………………………….. 16 Training ………………………………………………………………………….... 18 Training Topics ………………………………………………………….... 18 Training Objectives ……………………………………………………….. 18 Cost of Training …………………………………………………………………... 19 Assessment Plan …………………………………………………………………... 19 Conclusion ………………………………………………………………………… 22 References ………………………………………………………………………… 23 1 Abstract The purpose of this paper is to describe how to implement a policy to regulate usage of Web 2.0 in the workforce. Included in this paper will be the company background, history and sites of Web 2.0, consequences of not having a policy, how to spot Web 2.0 applications, factors of Web 2.0, potential threats, a description of the policy, training needed, cost of training and an assessment plan. Company Background The Softball Production Group is a mock company, used for example purposes only in this paper. The Softball Production Group is a marketing company that was established in 1990. The Softball Production Group has 300 regular employees and 50 temporary employees. The purpose of this company is to make and sell softball equipment. In 2004, the revenue was $8.9 million, but in 2009 the revenue dropped to $4.5 million. Currently, the company markets the equipment by phone and employees have limited internet usages; the internet usage is mainly for research. Also, the company has a web site of www.softballproductiongroup.com that helps to market the products, but this web site alone is not enough in today’s market. The Softball Production Group is looking to implement Web 2.0 to help the marketing team be able to network and collaborate the products they have to offer. History What is Web 2.0? If you ask any internet expert you will receive a variety of answers. Web 2.0 can mean different things to different people. There are several definitions of Web 2.0 that are on the internet: Web 2.0 = the web as a platform Web 2.0 = the underlying philosophy of relinquishing control Web 2.0 = globalization (―making global information available in local, social contexts and giving people the flexibility to find, organize, share and create information in a locally meaningful fashion that is globally accessible‖) Web 2.0 = an attitude not a technology Web 2.0 = when data, interface and metadata no longer need to go hand in hand Web 2.0 = action-at-a-distance interactions and ad hoc integration Web 2.0 = power and control via API (Applications Programming Interface) Web 2.0 = giving up control and setting the data free [1] 2 Some definitions may be contradictory, but each of these definitions contains certain characteristics of Web 2.0. Web 2.0 is a category of new Internet tools and technologies created around the idea that the people who consume media, access the internet, and use the web should not passively absorb what is available; rather they should be active contributors, helping to customize media and technology for their own purpose, as well as those of their communities. The key characteristics of Web 2.0 are: Web-based applications can be accessed from anywhere Simple applications solve specific problems Values lies in content, not the software used to display content Data can be readily shared Distribution is bottom-up, not top-down Employees and customers can access and use tools on their own Social tools encourage people to create, collaborate, edit, categorize, exchange and promote information Network effects are encouraged; the greater the number of people who contribute, the better the content gets [2] Web 2.0 is not just about the web, it is also about collaborative innovation and online- offline sharing. The way Web 2.0 came about was from a conference between Timothy O’Reilly and Media Live International. They did a brainstorming session in 2004, so Web 2.0 is still fairly new. The biggest feature of Web 2.0 is the rise of blogging; one of the features that made a big difference is having Really Simple Syndication (RSS). RSS is a way to easily distribute a list of headlines, update notices and sometimes content to a wide number of people. RSS works by having the website author maintain a list of notifications on their website in a standard way. This list of notifications is called an RSS Feed. People who are interested in finding out the latest headlines or changes can check this list. Special computer programs called RSS aggregators have been developed that automatically access the RSS feeds of websites you care about on your behalf and organize the results for you. (RSS feeds and aggregators are also sometimes called RSS Channels and RSS Readers.) [3] Timothy O’Reilly is the founder and CEO of O’Reilly Media. He is largely responsible for the Web 2.0 moniker and initial concept. Here is a summarization of Web 2.0 from Timothy O’Reilly ―Web 2.0 is the business revolution in the computer industry caused by the move to the internet as a platform and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects to get better, the more that people use them‖. [4] 3 Figure 1. Meme map of Web 2.0 [5] Here are some examples of Timothy O’Reilly’s descriptions of his four levels of the hierarchy of Web 2.0 sites: Level 0 are the websites that are capable of being worked on both online and offline mode. Some of the more classified example that belongs to this category and level are the Mapquest site, Yahoo!Local and Google mapping. Level 1 refers to the application websites that are capable of being worked and operated offline however, has gained online features. This means you will need to be directly connected to the Internet when you would like to make use of this feature. Level 2 refers to the applications that are capable of being operated and used offline but will essentially be strong and powerful when used and operated online. The Flickr website is one of the class examples that belong to this level of Web 2.0 web applications. 4 Level 3 are those applications that are basically Web 2.0 based. They are websites that practically work and exist when there is the Internet. Some of the more noted examples that belong to this category are Wikipedia, Craigslist and Google Adsense. [6] How to Spot a Web 2.0 Application Web 2.0 applications are more simple, responsive and usable. Not only do these sites seem to load and navigate more quickly, but they seem to anticipate the information you need. [7] Factors of Web 2.0 Every evolution is driven by key factors and this evolution of Web applications is no different. Social demands – Users need to find a way to interact and accomplish several activities such as reading news, mail, stock reports, etc. from one location. This can open up security issues around trusted information sources. Market pressures – Markets evolve in all industries segments, demanding business-to-business application layer interactions. This forces companies to adopt new technologies provided by Web services. Competing pressures – Competitors are moving ahead with applications scaled to run on Web 2.0 frameworks, forcing others to do the same to remain competitive. The race towards adoption of Web 2.0 framework puts extra pressure on developers and architecture. Technologies – Ever increasing market demands and competition have given rise to new technologies and frameworks. This is a key driving force behind industry and security vulnerabilities. New technologies mean new attack vectors, security holes and exploitation methods. Potential Threats There are potential threats that go along with Web 2.0, but having a secure policy in place can help to eliminate some of these threats. The following are a list of some potential threats that the Softball Production Group needs to be aware of: Entry Points - Web 2.0 applications are bound to open several entry points that are scattered throughout the application infrastructure. Multiple entry points to an application can increase the threat exposure and with it, the chances of developers coding errors occurring at each of these multiple entry points. 5 For example, RIA and Ajax driven applications use a lot of client side code to access backend applications and there are several resources buried in Ajax functions. This client side code gives an attacker a place to scan for all different endpoints or entry points to the system. Entry point scanning can lead to information disclosure and if a developer has a notion of having hidden entry points, it can backfire. Dependencies – Web 2.0 applications have multiple technologies, information sources and protocols. All three change vectors create security issues. Untrusted sources with callbacks can open serious security concerns. Many Web 2.0 applications use a callback mechanism to increase productivity and provide cross-domain access to data streams. This call back stream can become a potential threat for the end user. This callback URL can cause Cross- Site Request Forgery) CSRF and an attacker can access this information and send it back to the target site.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages26 Page
-
File Size-